March 25, 2015


The Honorable Michael Burgess, MD
United States House of Representatives
2241 Rayburn House Office Building
Washington, D.C. 20515

The Honorable Marsha Blackburn
United States House of Representatives
2266 Rayburn House Office Building
Washington, D.C. 20515

The Honorable David Loebsack
United States House of Representatives
1527 Longworth House Office Building
Washington, DC 20515-1502

The Honorable Peter Welch
United States House of Representatives
2303 Rayburn House Office Building
Washington, D.C. 20515


Dear Chairman Burgess, Representative Blackburn, Representative Loebsack, and 
Representative Welch: 


On behalf of its members, BSA | The Software Alliance¹ (BSA) is pleased to support your draft 
Data Security and Breach Notification Act (H.R. ___). BSA members strongly support enacting a 
national data security and data breach notification law, because it is important that we maintain 
trust and confidence in digital commerce. BSA commends you for your leadership to address the 
important issues of data security and data breach notification. 


A data breach can pose significant risk to consumers and can erode public trust in the online 
world. BSA members are committed to ensuring that customers whose data has been stolen are 
notified in a prompt and effective manner so that they can mitigate damage to their personal and 
financial wellbeing. We believe your bill makes a number of important and useful contributions to 
improving the security of personal data. 


While the effects of a data breach are rarely, if ever, restrained to one state or jurisdiction, entities 
holding sensitive information are currently subject to a burdensome patchwork of conflicting state 
data breach notification laws. Thus, we are pleased that H.R. ___ would provide a much needed 
national standard for data breach notification. A consistent standard allows our member 
companies to focus their efforts and resources on improving security, and providing timely 
notification to customers affected by a breach, rather than on compliance with a diverse set of 
laws. We also appreciate that the bill enables victims of a data breach to assess the scope of a 
potential breach and take necessary steps to secure information systems in advance of 
notification requirements. Requiring companies to notify potentially affected individuals before 
assessing the scope of a breach and taking steps to mitigate its effects can create further 
significant security vulnerabilities. 


¹ BSA’s members include: Adobe, Altium, ANSYS, Apple, Autodesk, Bentley Systems, CA Technologies, 
CNC/Mastercam, Dell, IBM, Intuit, Microsoft, Minitab, Oracle, salesforce.com, Siemens PLM Software, Symantec, Tekla, 
The MathWorks, and Trend Micro. 

Although BSA supports H.R. ___, our members would also like to work with the Committee to 
improve the bill. For instance, we request the removal of ‘economic loss or economic harm’ as a 
trigger for breach notification, which we believe adds uncertainty to the bill, and is adequately 
covered by ‘financial fraud’. Further, we request greater clarification for notification requirements 
for third parties to remedy vulnerabilities. Finally, we’re concerned at the high level of potential 
penalties for failure to comply with the statute. While we agree that companies should make best 
efforts to notify customers of a breach of their personal information, it is important to recognize 
that entities suffering a data breach are also victims of an intentional crime. 


H.R. ___ is a positive step in ensuring organizations have better guidance in the event of a 
breach of their systems. We look forward to further working on this bill as it moves through the 
legislative process. 


Sincerely, 


Victoria Espinel 
President and CEO 